PDF malware analysis — malicious · cbc4ca269655d752

MALICIOUS

PDF

65.6 KB Created: 2021-03-23 13:03:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 60083b36f371da5eafeeb897d6b46538 SHA-1: e3fe59a8e5b68551e099274a5d6547e60f08b6ed SHA-256: cbc4ca269655d7522093b16bb75732fc4ac58ea81f971ed7012a55124ac06ae5

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many of which point to disposable hosting and are used in a link farm pattern. The primary URL, 'https://jumiwimov.ru/strik?utm_term=troy+bilt+riding+lawn+mower+for+sale+near+me', suggests a lure related to product searches. ClamAV detection and ML classification indicate malicious intent, likely phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.8273

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://jumiwimov.ru/strik?utm_term=troy+bilt+riding+lawn+mower+for+sale+near+me
- http://fruitslope.online/jacques_vert_dress_size_guide754ya.pdf
- http://good-production20.site/zumupipovibipisorasebof5cy92.pdf
- http://oneplusonemain.xyz/what_to_get_my_boss_for_her_40th_birthdaysy107.pdf
- http://itfamily.pro/black_and_decker_mega_mouse_sander_instructionsv0h1s.pdf
- http://businesshelpservice.com/pobafixufizeo6w75.pdf
- http://gapewikegolunop.iblogger.org/79080220153.pdf
- https://cdn.sqhk.co/zolokike/jhhgjdW/viwojipamewepisi.pdf
- http://beguwidip.scienceontheweb.net/lural.pdf
- https://cdn.sqhk.co/kovixileta/ibiiljb/puvuzizetirenunudevujumog.pdf
- http://duvejajenivogik.getenjoyment.net/1217171726.pdf
- http://limigulel.iblogger.org/21944368452.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/widuxade/how_much_does_lotus_car_cost.pdf
- http://vijanemafe.rf.gd/activate_windows_8._1_pro_32_bit.pdf
- https://s3.amazonaws.com/doxifuba/amplified_bible_classic_edition.pdf
- http://nudobovedazopor.epizy.com/traditional_vietnamese_dance_videos.pdf
- http://zoletafexogixa.epizy.com/scatter_plot_worksheet_2_answer_key.pdf
- https://s3.amazonaws.com/sivanira/biology_diffusion_and_osmosis_worksheet_answers.pdf
- https://s3.amazonaws.com/bupaxomu/el_capital_karl_marx_tomo_1_vol_1.pdf
- https://ddd59a73-be73-4575-bd7b-2e5900175f8b.filesusr.com/ugd/5dc0ef_1044d62f2ff64aabb0c7d93eb3bf81bc.pdf?index=true
- https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_0c7b16ff06b84dcebed1d0ca804defff.pdf?index=true
- https://3f9320ff-391d-49df-b192-c557e211a93c.filesusr.com/ugd/469aea_5042aee3efbf45a1af5fd73ed4f78ccf.pdf?index=true
- http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000edc1.bin` `8bcc5b3f165ae7d587ff8b2949dba0b334f7f9a4ad07b0eec275f4452658cc25`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEDC1	5508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.